ABSTRACT

This invention relates to a method for generating a shared secret value between entities (E_i) in a
data communication system, one or more of the entities having a plurality of members (M_ij) for
participation in the communication system, each member having a long term private key (Pr_ij)
and a corresponding long term public key (Pu_ij). The method comprises the steps of generating
a short term private key (x_ij) and a corresponding short term public key (X_ij) for each of the members
(M_ij); exchanging the short term public keys (X_ij) of the members within an entity (i); for each
member, computing an intra-entity shared key (X_i) by mathematically combining the short term
public keys (X_ij) of each of the members, and computing an intra-entity public key (s_ij) by
mathematically combining its short-term private key (x_ij), its long term private key (Pr_ij) and the
intra-entity shared key; for each entity, combining the intra-entity public keys (s_ij) to derive a
group short-term public key (S_i); each entity transmitting its intra-entity shared key (X_i) and its
group short term public key (S_i) to the other entities; and each entity computing a common
shared key K by combining its group short term public key (S_i) with the intra-entity shared key
(X_i) and the group short term public key (S_i') received from the other entities.
SPLIT-KEY KEY-AGREEMENT PROTOCOL

The present invention relates to the field of key agreement protocols in cryptographic 
systems. 


BACKGROUND OF THE INVENTION 

Traditionally, entities communicated on paper and were able to ensure privacy in many
ways. The transition from paper to electronic media, however, brings the need for electronic
privacy and authenticity. In cryptographic schemes, the entities use primitives, which are
mathematical operations together with encoding and formatting techniques, to provide security.
For each scheme the parties participating in the scheme normally agree upon or exchange certain
information before executing the scheme function. The specific information that needs to be
agreed upon is detailed for each scheme. Such agreement may be achieved by any means
suitable for the application. It may be implicitly built into the system or explicitly achieved by
some sort of exchange of information with or without involvement from other parties. In
particular, parties often need to agree on parameters and obtain each other's public keys. For
proper security, a party needs to be assured of the true owners of the keys and parameters and of
their validity. Generation of parameters and keys needs to be performed properly and, in some
cases, verification needs to be performed.

In general, the different types of schemes may be defined as follows. In key agreement
schemes, two parties use their public/private key pairs, and possibly other information,
to agree on a shared secret key. A signature scheme with appendix is a scheme in which one
party signs a message using its private key and any other party can verify the signature by
examining the message, the signature, and the signer's corresponding public key. In
signature schemes with message recovery, one party signs a message using its private key and
any other party can verify the signature and recover the message by examining the signature and
the signer's corresponding public key. Finally, in encryption schemes, any party can encrypt a
message using the recipient's public key and only the recipient can decrypt the message using its
corresponding private key.

An example of a key agreement scheme is MQV (Menezes-Qu-Vanstone). In the
MQV scheme, a shared secret value is derived from one party's two key pairs and another
party's two public keys, where all the keys have the same discrete log (DL) parameters. In this
generalized MQV scheme, it is assumed that the shared secret value is shared
between two parties.

However, each party or entity may itself consist of a collection of parties, say A = {A1,
A2, ..., An} and B = {B1, B2, ..., Bm}, where m is not necessarily equal to n and at least one of m or n
is at least two (that is, A and B do not both consist of one individual). It is difficult to implement
the generalized MQV scheme if these two entities wish to establish a common key in order to
communicate privately.

SUMMARY OF THE INVENTION

Accordingly, the present invention seeks to provide a solution to the problem of 
establishing a common key for private communication between entities wherein the entities 
include a collection of sub entities. 

An advantage of the present invention is that all members of each entity must participate
in the scheme and no sub-collection of either entity can impersonate its entire entity.

In accordance with this invention there is provided a method for generating a shared
secret value between entities in a data communication system, one or more of the entities having
a plurality of members for participation in the communication system, each member having a
long term private key and a corresponding long term public key, the method comprising the steps
of:

(a) generating a short term private key and a corresponding short term public key for each of
the members;

(b) exchanging the short term public keys of the members within an entity;

(c) for each member

(i) computing an intra-entity shared key by mathematically combining the
short term public keys of each said member;

(ii) computing an intra-entity public key by mathematically combining its
short-term private key, its long term private key and the intra-entity
shared key;

(d) for each entity, combining the intra-entity public keys to derive a group short-term public
key;

(e) each entity transmitting its intra-entity shared key and its group short term public key
to the other entities; and

(f) each entity computing a common shared key K by combining its group short term
public key, the intra-entity shared key, and the group short term public key received from the
other entities.



BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features of the preferred embodiments of the invention will become more
apparent in the following detailed description in which reference is made to the appended
drawings wherein:

Figure 1 is a schematic diagram of a communication system; and 

Figure 2 is a schematic diagram of a protocol according to an embodiment of the present
invention.


DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Referring to figure 1, a schematic diagram of a communication system is shown generally
by numeral 10. The system 10 includes a first entity A (12) and a second entity B (14) that
exchange data over a communication channel 16. The entities A and B include members
A1, A2 and B1, B2, respectively. It is assumed that the entities A and B include processors for
performing cryptographic operations and the like. The members A1, A2 may for example
represent a first group of users on a local area network (LAN) that wish to communicate securely
with a second group of users B1, B2 on a second LAN or even on the same LAN. In either case
the computations may be performed for the entities A (12) and B (14) by, for example, a LAN
server or the like, provided that each member has its own secure boundary; that is, a member's
private keys remain within that boundary and only the member's public values and its own
contribution to the group key are handed to the server.

Accordingly, the present protocol ensures that all members of each entity must participate 
in the scheme and no sub-collection of either entity can impersonate its entire entity. 

Furthermore, it is assumed that each entity and its associated members A_i, B_j have been
initialized with the same system parameters. The system parameters for this protocol are an
elliptic curve point P, which is a generating point of an elliptic curve over a finite field, the point P
having order n. Additionally, each of the members is initialized with a respective public and private key pair.
That is, the members A_i have long term private and public key pairs (a_i, a_iP) and the members B_j
have long term private and public key pairs (b_j, b_jP), respectively.

The private key of the entity A is then (a_1 + a_2) and its corresponding public key is (a_1 +
a_2)P. Similarly, for entity B its private key is (b_1 + b_2) and its corresponding public key is (b_1 +
b_2)P. These public keys are published by the entities.

Now assume that entities A (12) and B (14) wish to agree upon a common key, which may
then be used for subsequent cryptographic communications between the entities.

Referring thus to figure 2, a schematic diagram of an embodiment of the protocol
according to the present invention is shown generally by numeral 40. The member A1 generates
a random value x_1 (its short term private key, also known as an ephemeral or session key) and
computes a corresponding value x_1P (its short term public key); similarly, member A2 generates
a random value x_2 and computes a corresponding value x_2P. Preferably 0 < a_j < n-1 and 0 < x_j <
n-1. Next, the members A1 and A2 exchange their session public keys x_1P and x_2P. This may be
termed a first intra-entity key exchange.
Next, member A1 computes r = x_1P + x_2P and similarly member A2 computes r = x_2P + x_1P,
thus establishing an intra-entity shared key r.

Next, each member A_i computes its short term intra-entity public key s_i using its short
term private key and long term private key combined with a function f of the intra-entity shared
key r, that is s_1 = x_1 + a_1 f(r) (mod n), where f is typically a hash function such as SHA-1 and n
is the order of the curve. Similarly, member A2 computes its intra-entity public key s_2 = x_2 + a_2 f(r)
(mod n).

The entity A transmits the intra-entity shared key r to the entity B. The entity A also
computes an entity or group short term public key, which is derived by summing the intra-entity
public keys of each member: s = s_1 + s_2 = x_1 + x_2 + (a_1 + a_2) f(r) (mod n). Entity A then also
transmits the group short-term public key s to the entity B.

The entity B similarly computes the analogous information using its own public and
private keys, with the same computations performed by entity A. Thus, B computes an intra-entity
shared key r' = y_1P + y_2P using the short term public keys y_1P, y_2P of each of its members, where
y_j is the short term private key of member B_j. Next, each of the members in B computes its own
intra-entity public key t_j = y_j + b_j f(r') (mod n). The entity B then sends r' to the entity A and
computes the group short-term public key t = t_1 + t_2, which is transmitted to the entity A.
The entity A then computes the value K, which is the shared key between the entities A and
B, as K = s(r' + f(r')·bP) = s·tP, where bP = (b_1 + b_2)P is the published long term public key of
B; this holds because tP = (y_1 + y_2)P + (b_1 + b_2) f(r') P = r' + f(r')·bP. The entity B likewise
computes K using t, r and aP (or s): K = t(r + f(r)·aP) = t·sP, where aP = (a_1 + a_2)P. Both sides
thus obtain K = s·t·P.

Consequently, if a member of the entity A, either A1 or A2, is not present in the scheme,
then the group short term public key s changes, as does the value of K. Communication with
entity B would therefore not be successful without establishing a new session.
Similarly, if either B1 or B2 is not present in the scheme, then the group short term public key t
changes, altering the value of K; in this case, communication with A would not be successful
without establishing a new session.
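The two-member exchange described above (steps (a) to (f) of the summary, carried out by entities A = {A1, A2} and B = {B1, B2}), as an added Python example that is not part of the patent or of any implementation it describes. It assumes secp256k1 as the curve (the description fixes only a generator P of order n), SHA-256 in place of the SHA-1 named as typical for f, and constructed long-term private keys. Because K = s·tP, whoever learns the scalar s can compute K from public values; the example therefore keeps s inside entity A and has B reconstruct sP as r + f(r)·aP from A's published long-term key, which the description notes B may do. The curve arithmetic is a plain double-and-add and is not constant time.

```python
import hashlib
import secrets

# Domain parameters: secp256k1 (an assumed choice; the patent only fixes a
# generator P of order n on an elliptic curve over a finite field).
FIELD_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
CURVE_A = 0
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity (group identity)


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over FIELD_P; INF is the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant time; demo only)."""
    acc = INF
    for bit in bin(k % ORDER_N)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc


def point_sum(points):
    acc = INF
    for p in points:
        acc = ec_add(acc, p)
    return acc


def f(r):
    """Hash of the intra-entity shared point r, reduced mod n. The patent
    names SHA-1 as typical; SHA-256 is used here (assumption)."""
    enc = r[0].to_bytes(32, "big") + r[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % ORDER_N


def entity_public(long_term_privs):
    """Published long-term public key of an entity: (a_1 + ... + a_n) P."""
    return ec_mul(sum(long_term_privs) % ORDER_N, GEN)


def entity_round(long_term_privs):
    """Steps (a)-(c) inside one entity. Returns (r, [s_1, ..., s_n]).
    r = sum x_j P is sent to the peer; the scalars s_j never leave the entity."""
    # (a) every member j picks an ephemeral x_j and forms X_j = x_j P
    x = [1 + secrets.randbelow(ORDER_N - 1) for _ in long_term_privs]
    big_x = [ec_mul(xj, GEN) for xj in x]
    # (b), (c)(i): after exchanging the X_j, each member computes the same r
    r = point_sum(big_x)
    # (c)(ii): member j computes s_j = x_j + a_j f(r) mod n from its own secrets
    s_parts = [(xj + aj * f(r)) % ORDER_N for xj, aj in zip(x, long_term_privs)]
    return r, s_parts


def peer_group_point(r_peer, pub_peer):
    """sP (or tP) reconstructed by the receiver from the peer's r and
    long-term public key: r + f(r) * pub, as the description allows."""
    return ec_add(r_peer, ec_mul(f(r_peer), pub_peer))


def agree(priv_a, priv_b):
    """Runs the exchange between entity A and entity B (members' long-term
    private keys given as lists) and returns both sides' K plus intermediates."""
    r_a, s_parts = entity_round(priv_a)
    r_b, t_parts = entity_round(priv_b)
    s = sum(s_parts) % ORDER_N                # (d): s = sum s_j mod n
    t = sum(t_parts) % ORDER_N
    # (e): A sends r_a, B sends r_b; the entities' long-term keys are published
    tP = peer_group_point(r_b, entity_public(priv_b))   # held by A
    sP = peer_group_point(r_a, entity_public(priv_a))   # held by B
    # (f): K = s * tP on A's side, K = t * sP on B's side
    return {"K_A": ec_mul(s, tP), "K_B": ec_mul(t, sP),
            "s_parts": s_parts, "t_parts": t_parts, "sP": sP, "tP": tP}


if __name__ == "__main__":
    # constructed long-term private keys for A = {A1, A2} and B = {B1, B2}
    out = agree([0x1234_5678_9ABC, 0x0FED_CBA9_8765], [0x1111_2222, 0x3333_4444])
    print("K_A == K_B:", out["K_A"] == out["K_B"])
```

The returned `s_parts` make the participation property checkable: multiplying a single member's s_j by tP yields a point that is not K, so A1 on its own cannot stand in for the entity A, while the full sum s reproduces K = s·t·P on both sides. An entity with a single member (m or n equal to one) runs through the same code path.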

Although the above scheme has been described with respect to elliptic curve systems,
in which the group is additive, it may analogously be used in multiplicative groups. Furthermore,
although the above protocol has been exemplified with two members per entity, it may be generalized
so that each party or entity consists of a collection of members, say A = {A1, A2, ..., An} and B = {B1, B2,
..., Bm}, where m is not necessarily equal to n and at least one of m or n is at least two (that is,
A and B do not both consist of one individual). The notation may be generalized as follows, where a
prime marks the corresponding value received from the other entities:



E_i - entity i

M_ij - member j of entity i

Pr_ij - long term private key of member (i,j)

Pu_ij - long term public key of member (i,j)

Pu_i - long term public key of entity i

x_ij - short term private key of member (i,j)

X_ij - short term public key of member (i,j)

X_i - intra-entity shared key of entity i

s_ij - intra-entity public key computed by member j of entity i

S_i - group or entity short term public key of entity i

Pu_i' - long term public key received from the other entities

X_i' - intra-entity shared key received from the other entities

S_i' - group or entity short term public key received from the other entities
Although the invention has been described with reference to certain specific
embodiments, various modifications thereof will be apparent to those skilled in the art without
departing from the spirit and scope of the invention as outlined in the claims appended hereto.
THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY
OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:

1. A method for generating a shared secret value between entities (E_i) in a data communication
system, one or more of said entities having a plurality of members (M_ij) for participation in
said communication system, each member having a long term private key (Pr_ij) and a
corresponding long term public key (Pu_ij), said method comprising the steps of:

(a) generating a short term private key (x_ij) and a corresponding short term public key (X_ij) for
each of the members (M_ij);

(b) exchanging short term public keys (X_ij) of the members within an entity (i);

(c) for each member:

(i) computing an intra-entity shared key (X_i) by mathematically combining said
short term public keys (X_ij) of each said member;

(ii) computing an intra-entity public key (s_ij) by mathematically combining its
short-term private key (x_ij), the long term private key (Pr_ij) and said intra-entity
shared key;

(d) for each entity combining intra-entity public keys (s_ij) to derive a group short-term
public key (S_i);

(e) each entity transmitting its intra-entity shared key (X_i) and its group short term public
key (S_i) to said other entities; and

(f) each entity computing a common shared key K by combining its group short term
public key (S_i), with the intra-entity shared key (X_i), and a group short term public
key (S_i') received from the other entities.

2. A method as defined in claim 1, said long term public key being derived from a generator
point P and respective ones of said long term private keys.

3. A method as defined in claim 2, said step (a) including each member selecting a random
integer x_i and multiplying said point P by x_i to obtain x_iP, the short term public key.
4. A method as defined in claim 3, said intra-entity shared key being computed by summing
said short term public keys x_iP.

5. A method as defined in claim 4, said intra-entity public key s_i being derived by computing
s_i = x_i + a_i f(Σ x_iP), where f is a hash function.

6. A method as defined in claim 5, said group short term public key being derived by
computing Σ s_i.

7. A method as defined in claim 1, said long term public keys (Pu_ij) being derived from a
generator g and respective ones of said long term private keys (Pr_ij).

8. A method as defined in claim 7, said step (a) including the step of each member selecting a
random integer (x_ij) and exponentiating a function h(g) including said generator to a power
g(x_ij) to obtain the short term public key X_ij = h(g)^g(x_ij).

9. A method as defined in claim 8, said intra-entity shared key (X_i) being computed by each
entity multiplying each of its short-term public keys X_ij together.

10. A method as defined in claim 1, including the step of exchanging the long term public key of
each entity (Pu_i) between entities.

11. A method as defined in claim 10, each entity computing a common shared key K by
combining its group short term public key (S_i), with the intra-entity shared key (X_i), and a
long term public key (Pu_i') received from the other entities.